Configs · Apr 19, 2026 · 3 min read

Terrascan — Static Analysis for Infrastructure as Code Security

Terrascan detects security vulnerabilities and compliance violations across Terraform, Kubernetes, Helm, CloudFormation, and Dockerfiles before you deploy, with over 500 built-in policies based on industry benchmarks.

Quick Use

Use it first, then decide how deep to go

brew install terrascan
terrascan scan -t aws
terrascan scan -i k8s -f deployment.yaml

Introduction

Terrascan is a static code analyzer for Infrastructure as Code (IaC) that detects security misconfigurations and compliance violations before deployment. It scans Terraform, Kubernetes manifests, Helm charts, AWS CloudFormation, Azure ARM templates, and Dockerfiles against a library of over 500 policies mapped to benchmarks like CIS, SOC2, and PCI-DSS. By catching issues in code rather than in production, Terrascan shifts security left in the development lifecycle.

What Terrascan Does

  • Scans Terraform HCL, Kubernetes YAML, Helm charts, CloudFormation, ARM templates, and Dockerfiles for security issues
  • Ships with 500+ built-in policies mapped to CIS benchmarks, OWASP, and compliance frameworks
  • Outputs results in JSON, YAML, SARIF, or human-readable format for CI integration
  • Supports custom policies written in Rego (Open Policy Agent's policy language)
  • Runs as a CLI tool, a Git pre-commit hook, or a server with a REST API for pipeline integration

Architecture Overview

Terrascan parses IaC files into a normalized intermediate representation regardless of the source format. It then evaluates this representation against a policy engine built on OPA (Open Policy Agent) Rego. Each policy is a Rego rule that checks for specific misconfigurations like open security groups, unencrypted storage, or containers running as root. Results are collected and rendered in the requested output format. The tool is written in Go for fast execution and ships as a single static binary.

Self-Hosting & Configuration

  • Install via Homebrew, Go install, Docker (tenable/terrascan), or download binaries from GitHub releases
  • Run terrascan scan in a directory to auto-detect IaC types and scan with default policies
  • Specify the cloud provider with -t aws, -t azure, or -t gcp to apply provider-specific policies
  • Add custom Rego policies by pointing to a policy directory with --policy-path
  • Integrate into CI with terrascan scan --output sarif and upload results to GitHub Code Scanning or similar tools
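A CI gate built on the JSON output and pipeline integration described above, as an added example that is not part of the Terrascan project or of this page. It runs terrascan scan -o json (the -d, -t and -o flags are Terrascan's own; the scanned directory, the severity threshold and the policy type are assumptions), fails the job when a finding meets the chosen severity, and lists the findings suppressed by #ts:skip comments or skip rules so that suppressions get reviewed instead of silently accumulating. The sample report embedded below is constructed to match the shape of Terrascan's JSON report; its rule names and the placeholder rule ids are not real Terrascan policies.

```python
"""Added example (not Terrascan's own code): a CI gate over Terrascan's JSON report.

Runs `terrascan scan -o json`, fails the job when a violation meets the chosen
severity threshold, and prints the skipped (suppressed) findings so that
#ts:skip comments and skip-rule files are reviewed rather than forgotten.
"""
import json
import subprocess
import sys
from collections import Counter

# Terrascan reports LOW, MEDIUM or HIGH; rank them so a threshold can be applied.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def run_terrascan(iac_dir: str, policy_type: str = "aws") -> dict:
    """Scan a directory and return the parsed JSON report.

    Terrascan exits non-zero when it finds violations, so the exit status is
    deliberately ignored here; the pass/fail decision comes from the report.
    """
    proc = subprocess.run(
        ["terrascan", "scan", "-d", iac_dir, "-t", policy_type, "-o", "json"],
        capture_output=True, text=True, check=False,
    )
    if not proc.stdout.strip():
        raise RuntimeError("terrascan produced no JSON: " + proc.stderr.strip())
    return json.loads(proc.stdout)


def evaluate(report: dict, fail_on: str = "HIGH") -> dict:
    """Summarise the report and decide whether the build should fail.

    `fail_on` is the lowest severity that blocks; findings below it are
    reported but do not fail the job.
    """
    if fail_on.upper() not in SEVERITY_RANK:
        raise ValueError("fail_on must be one of LOW, MEDIUM, HIGH")
    results = report.get("results", {})
    violations = results.get("violations") or []
    skipped = results.get("skipped_violations") or []
    threshold = SEVERITY_RANK[fail_on.upper()]

    def rank(v: dict) -> int:
        return SEVERITY_RANK.get(str(v.get("severity", "")).upper(), -1)

    blocking = [v for v in violations if rank(v) >= threshold]
    return {
        "total": len(violations),
        "by_severity": dict(Counter(str(v.get("severity", "")).upper() for v in violations)),
        "blocking": blocking,
        "skipped": skipped,
        "passed": not blocking,
    }


def format_summary(summary: dict) -> str:
    """Render the gate decision as plain text for the CI log."""
    lines = [f"violations: {summary['total']} {summary['by_severity']}"]
    for v in summary["blocking"]:
        lines.append(f"  BLOCK {v.get('severity', '?'):<6} {v.get('rule_id')} "
                     f"{v.get('resource_type')}.{v.get('resource_name')} "
                     f"({v.get('file')}:{v.get('line')})")
    for v in summary["skipped"]:
        lines.append(f"  SKIPPED {v.get('rule_id')} on "
                     f"{v.get('resource_type')}.{v.get('resource_name')} "
                     f"({v.get('file')}:{v.get('line')}) "
                     f"reason: {v.get('skip_comment', '(none given)')}")
    lines.append("RESULT: PASS" if summary["passed"] else "RESULT: FAIL")
    return "\n".join(lines)


# Constructed sample modelled on the shape of `terrascan scan -o json`. The rule
# names and the *_PLACEHOLDER rule ids are invented for this example; only
# AC_AWS_0001 appears on the page, and it is used here purely as an id string.
SAMPLE_REPORT = {
    "results": {
        "violations": [
            {"rule_name": "publicBucketAcl", "rule_id": "AC_AWS_0001",
             "severity": "HIGH", "category": "S3",
             "resource_name": "logs", "resource_type": "aws_s3_bucket",
             "file": "main.tf", "line": 12},
            {"rule_name": "missingVersioning", "rule_id": "AC_AWS_PLACEHOLDER_1",
             "severity": "MEDIUM", "category": "S3",
             "resource_name": "logs", "resource_type": "aws_s3_bucket",
             "file": "main.tf", "line": 12},
        ],
        "skipped_violations": [
            {"rule_name": "bucketLogging", "rule_id": "AC_AWS_PLACEHOLDER_2",
             "severity": "LOW", "resource_name": "scratch",
             "resource_type": "aws_s3_bucket", "file": "scratch.tf", "line": 3,
             "skip_comment": "ephemeral test bucket"},
        ],
        "scan_summary": {"iac_type": "terraform", "policies_validated": 3,
                         "violated_policies": 2, "low": 0, "medium": 1, "high": 1},
    }
}


def main(argv: list) -> int:
    """Usage: python terrascan_gate.py <iac_dir> [LOW|MEDIUM|HIGH]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    summary = evaluate(run_terrascan(argv[1]), fail_on)
    print(format_summary(summary))
    return 0 if summary["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as python terrascan_gate.py ./infra MEDIUM to block on MEDIUM and HIGH findings while still printing LOW ones. The skipped section is the part worth watching in review: every line there corresponds to a #ts:skip comment or a skip rule, and a skip with no reason given is a candidate for a follow-up question.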

Key Features

  • Over 500 pre-built policies covering AWS, Azure, GCP, and Kubernetes security best practices
  • Multi-IaC support scans Terraform, K8s, Helm, Docker, CloudFormation, and ARM in one tool
  • Custom policy authoring in Rego lets teams encode organization-specific security rules
  • Server mode exposes a REST API for centralized scanning in CI/CD pipelines
  • SARIF output integrates with GitHub Advanced Security, VS Code, and other SARIF consumers

Comparison with Similar Tools

  • Checkov — Python-based IaC scanner by Bridgecrew with similar coverage; Terrascan uses Rego policies for customization
  • tfsec — Terraform-specific security scanner now merged into Trivy; Terrascan covers more IaC formats
  • Trivy — All-in-one security scanner for containers, IaC, and code; broader scope but less IaC policy depth than Terrascan
  • KICS — Checkmarx IaC scanner with 2000+ queries; similar breadth to Terrascan with a different policy language
  • Snyk IaC — Commercial IaC scanning with a free tier; Terrascan is fully open source with no usage limits

FAQ

Q: What compliance frameworks does Terrascan cover? A: Built-in policies map to CIS benchmarks for AWS, Azure, GCP, and Kubernetes, plus SOC2, PCI-DSS, HIPAA, and GDPR controls.

Q: Can I use Terrascan in a pre-commit hook? A: Yes. Add Terrascan as a pre-commit hook to scan IaC files before every commit. The official repo includes a .pre-commit-hooks.yaml configuration.

Q: Does Terrascan scan Terraform state files? A: No. Terrascan scans Terraform HCL source files, not state files. It analyzes the declared configuration, not the deployed infrastructure.

Q: How do I suppress false positives? A: Add inline comments like #ts:skip=AC_AWS_0001 in your IaC files or create a skip rules file to suppress specific policy violations.
